active directory - allow users to login to OWA and Sharepoint site only, not interactive on desktop PC

Hi there
So we have a requirement to allow certain users to login to their email via OWA and to a Sharepoint site but they should not be permitted to logon to the network in the office on a PC and therefore no access to shared drives etc.
Is there a way to do this in group policy or another way?
many thanks
LVL 2
stack888Asked:
Who is Participating?
 
MaheshArchitectCommented:
Log on to tab in AD will definitely work

You need to create any fake computer account in AD and you need to edit properties of all required users and add this computer account, so that they can't logon to any other computers locally
In addition to above you need to restrict them on Remote Desktop services profile tab as well
U need to select check box "deny this user to logon to remote desktop session host server

Lastly, the below solution should work \ will work 100%
1st create one security group and add all required users to that group
At domain level create new group policy and in that policy enable deny logon locally and deny logon thru terminal services user rights setting and add above group there
These users will not be able to logon to any servers \ desktops trough RDP \ locally

Test any of above solution prior to deploy full flesh

Mahesh
0
 
Hypercat (Deb)Commented:
Have you tried setting their "Log on to" in the AD user properties?  I'm not sure that works, though, I seem to recall in the past admins having a problem with this method.  Another possibility would be to create a special global group with restricted rights and then give that group only the necessary rights to log on to the Sharepoint and OWA sites. For Sharepoint, they would also need the necessary NTFS permissions to access any documents or other services and/or storage areas on your network to use the data that is being served through the Sharepoint site.
0
 
stack888Author Commented:
Mahesh, i ended up using pretty much your solution.
thanks!

This is what i did:

Create a group "Users Denied Interactive Logon", and make the relevant users a member.
Create a Group Policy Object (GPO) linked at the root of the domain called "Deny Interactive Logon"
In the "User Rights Assignment" subnode of the "Local Policies" subnode of the "Security Settings" subnode of the "Windows Settings" subnode of the "Computer Configuration" node I would add "Deny log on locally" permission for "Users Denied Interactive Logon" group.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.